The Green Sheet Online Edition

May 11, 2009  •  Issue 09:05:01


PCI: Taking the proper path

By Tim Cranny

The Payment Card Industry (PCI) Data Security Standard (DSS) is becoming increasingly visible - and painful - to almost everyone in the payments industry, but the distress can be minimized with the right approach and understanding of what is really going on.

A mistake many ISOs, processors, banks and even security solution vendors make is to think of PCI as a security issue only. PCI must be treated as a business challenge: Those who ignore this wind up with a series of narrow technical successes that fail to add up to real business success, a situation all too common today.

Diligence pays off

Implementing changes required by the PCI DSS can be slow and painful. PCI compliance is a business problem because the security measures are targeting business operations. Compliance failure comes with significant penalties, such as fines; the threat of permanent damage to a company's reputation; and the inability to be PCI DSS certified.

Furthermore, the PCI DSS is a complicated business issue because it is trying to get everyone in the payments industry to change certain core business behaviors, including:

Substantive changes are always painful and difficult to make. The promised rewards seem close but often never quite arrive. That means the industry as a whole needs to use every tool possible to decrease its pain while actively rewarding those who make the effort to do the right thing.

Although there has been movement in this direction, we are not there yet. The right strategy for PCI implementation is neither obvious nor simple.

So it's not surprising that few ISOs, banks and processors have found the right strategy for dealing with the PCI DSS. However, the payments industry can take action to ameliorate this problem. It's important to keep the following ideas in mind when addressing this issue and seeking effective solutions.

Focus on the big picture

It's easy to see validation - the "paperwork" of PCI - or even compliance as the real target of the PCI DSS, but that is shortsighted and an ineffective way to address the full scope of what PCI entails.

Everyone's goal throughout this process should be improved security, which is genuine control over the risks that arise from using information systems. PCI compliance is only a bonus feature of the real, constructive things you should be doing.

Think about what your challenges are. The details of PCI compliance are not the same for everyone. The right strategies and solutions for one organization might be a poor fit for another.

One example is that larger, more sophisticated merchants have one set of security needs and challenges, while the vast number of smaller merchants have a completely different set. This puts different types of stress on their partners and service providers.

Watch out for sharks

Be deeply suspicious of security vendors who promise to solve every problem and specialize in providing every possible type of solution. Some of them are essentially saying, "You're in luck. As it happens I'm a heart surgeon, a mechanic and I do windows." Instead of falling for this, identify solutions and partners that work to solve your specific business issues and problems.

Choose the right tools. One of the ways in which the PCI DSS is still immature is that those shaping the entire program are not using the full set of tools to get the job done. There is significant focus on trying to get the right behavior out of banks, ISOs and merchants via penalties and threats. However, there should be more emphasis on incentives and rewards.

I believe that with the right technologies and services, PCI compliance can and should be driven by letting ISOs and others make reasonable profits from driving the desired changes forward.

Take charge

Resistance to the idea that solving this problem is up to us typically comes from security specialists who underestimate the business challenges involved and who think it should all be done only one way. But this sort of mandate-driven thinking is essentially a hangover from the days when security was largely a governmental issue.

The PCI DSS is tackling a very different problem, and we are already seeing new solutions and new approaches to PCI implementation.

One other thing to keep in mind is that data security and PCI compliance are always an ongoing process, not an event that pops up on your calendar and then can be forgotten until next time. True security requires changes in daily habits and operations, which is another reason why ongoing rewards are valuable, and annual audits and penalties should not be the main tool for driving the process.

Audits and paperwork are similar to annual health checkups: an important tool, but if you're trying to get and stay healthy you shouldn't just circle that day on your calendar and think in terms of getting through the test.

We've all seen major security breaches recently where the company in question, and even the auditors, seemed to care more about the test than the underlying reality of the breaches' causes and effects.

Reach out to partners

Work with your partners. The PCI DSS emphasizes that your security is not completely contained inside your own world. You are dependent on your partners, vendors, ISOs and overall supply chain in inescapable ways, increasingly making security compliance a collective responsibility.

That means in-house and home-grown solutions are going to become more awkward and ineffective because they put up barriers to sharing and coordination. Ideally, what you should look for is a solution that creates a common way for you and your partners to work together.

While doing so, keep in mind that your partners are different from you. They will need a solution that recognizes those differences and one that doesn't force you into a one-size-fits-all straitjacket.

Keep an eye on your vendors. PCI is a new world, and in many ways, it's still like the Wild West. Most vendors are looking to expand their customer base, and too many - even ones with a good reputation when it comes to their core offerings - are doing so by promising things they can't deliver or that simply don't exist. Take the time to put them to the test, rather than rely on reputations based on other products or other times.

Being cognizant of these issues will help you put together a solution that gives you what you really need - successes with the narrow technical issues that actually add up to business success and that let you take on the challenges of PCI in an efficient, productive way.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
